How do i secure a webtask

How do i secure a webtask, to only allow processing events coming in from a specific auth0/webhook

From the Webtask

Doing this

wt create refresh-token.js  -s AUTH0_CLIENT_ID=XXXXX     -s AUTH0_CLIENT_SECRET=XXXXX  -s AUTH0_DOMAIN=XXXXX

Makes the command line variables available as context.secrets.AUTH0_CLIENT_ID and context.secrets.AUTH0_SECRET (also shows up under “webtask editor/secrets” tab)

Is this supposed to secure the webtask, i can still acess the url (froma browser), and see the output from the callback.

From the Webhook auth0 extension

The ‘Scheduled jobs/Secrets’ tab shows entries for AUTH0_* keys which i didnt explicitly set, what do they defaul to.

There are several methods to protect access to webtasks, depending on the use case. To restrict calls made from a Hook, you can think of it as a machine-to-machine flow, and use the Client Credentials Grant. In essence, your webtask will be the ‘API’, with the Hook being the client. Take a look at the following documentation that may be of help:

I was having trouble (submit button wouldnt respond)) copying a longish comment in markdown, hence replied to the email notification. Tried the inline editor, and splitting into multiple comments too.

I have this webtask

//hello.js

var wt = require('webtask-tools');

function webtask(context, req, res) { 
    console.log("from hello");
    console.log("EVENT TYPE:" + context.data.type);

    res.writeHead(200, { 'Content-Type': 'text/html '});
    res.end('<h1>FROM HELLO</h1>');
}

module.exports = wt.auth0(webtask);

I Run it like this:

wt create hello.js  -s AUTH0_CLIENT_ID=XXXXX     -s AUTH0_CLIENT_SECRET=XXXXX  -s AUTH0_DOMAIN=XXXXX

Configured auth0 webhook extension

Configured the autho API hook plugin with the AUTH0 ID, SECRET and DOMAIN, used in the ‘wt create’ call above.

LOGS (webhook and webtask)

I see this in the auth0 webhook extension logs:

12:13:07 PM: Unexpected response while sending request: {“code”:401,“message”:“Unauthorized.“,”error”:“Missing access token.“,”redirect”:“https://XXXXX-0.run.webtask.io/hello/login“}

And this in the webtask (wt logs):

[19:13:07.395Z]  INFO wt: finished webtask request 1492715587282.271021 with HTTP 401 in 89ms

Why isnt the webhook sending an access token in its request.

The current auth0/webhook extension does a plain POST to the webtask(webhook_url), the auth0 creds are only used to get the logs from auth0.

We could probably move the webtask(which deletes refresh tokens) to the point where a POST is done in the webhook, or we could modify the POST to do oauth. But we dont want to maintain our own version of the extension.

I guess what we want is a version of the webhook extension, that speaks oauth with the WEBHOOK_URL.

This blog post may be useful: https://auth0.com/blog/securing-webtasks-part-2-using-middleware/